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Abstract of JP2003046536 

PROBLEM TO BE SOLVED: To sufficiently 
prevent various in-vehicle electric devices from 
being unauthorizedly accessed from the 
outside, while simplifying wiring of an in- 
vehicle communication system. SOLUTION: 
The in-vehicle communication system 1 
comprises an on-vehicle LAN 10 to which 
ECUs 1 1 to 37 in a vehicle are connected, a 
communication section 40 for communication 
with an out-vehicle device 3, and a gateway 
ECU 5 that is placed in between the on-vehicle 
LAN and the communication section and 
relays data communication. The gateway ECU 
authenticates the out-vehicle device, when 
write request for a program from the out- 
vehicle device to an ECU in the on-vehicle 
LAN via the communication section and 
enables the ECU being a program write object 
ECU to authenticate the out-vehicle device. 
Furthermore, the gateway ECU in the case of 
receiving communication data other than the 
program write request authenticates the out- 
vehicle device by itself, when discriminating 
the data are not destinated to the ECUs 31 to 
37 of an AVC system network. 
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(54) VEHICLE USE RELAY DEVICE AND IN-VEHICLE COMMUNICATION SYSTEM 

(57)Abstract: 

PROBLEM TO BE SOLVED: To sufficiently prevent 
various in-vehicle electric devices from being 
unauthorizedly accessed from the outside, while 
simplifying wiring of an in- vehicle communication 
system. 

SOLUTION: The in-vehicle communication system 1 
comprises an on-vehicle LAN 10 to which ECUs 1 1 to 
37 in a vehicle are connected, a communication 
section 40 for communication with an out-vehicle 
device 3, and a gateway ECU 5 that is placed in 
between the on-vehicle LAN and the communication 
section and relays data communication. The gateway 
ECU authenticates the out-vehicle device, when write 
request for a program from the out-vehicle device to 
an ECU in the on-vehicle LAN via the communication section and enables the ECU being 
a program write object ECU to authenticate the out-vehicle device. Furthermore, the 
gateway ECU in the case of receiving communication data other than the program write 
request authenticates the out-vehicle device by itself, when discriminating the data are not 
destinated to the ECUs 31 to 37 of an AVC system network. 
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* NOTICES * 

JPO and INPIT are not responsible for any 
damages caused by the use of this translation. 

1. This document has been translated by computer. So the translation may not reflect the 
original precisely. 

2. **** shows the word which can not be translated. 
3. In the drawings, any words are not translated. 



CLAIMS 

[Claim(s)] 

[Claim 1]Repeating installation for vehicles characterized by comprising the following. 
Mounted LAN built by vehicles. 

It is the repeating installation for vehicles which relays communication between various 
electronic devices in vehicles connected with a device outside a vehicle which is arranged 
between communication apparatus which perform data communications between devices 
outside a vehicle, and is connected via this communication apparatus at mounted LAN, If 
there is an access request from a device outside a vehicle to an electronic device in 
vehicles in said mounted LAN, will identify the access point, and. The first identification 
device that judges whether it is an access request to an electronic device in said vehicles 
for which this access request needs attestation of a device outside a vehicle based on this 
discriminated result, If said first identification device judges said access request to be what 
needs attestation of a device outside said vehicle, The first authentication means that 
judges whether a device outside said vehicle is a device outside a vehicle to which access 
to an electronic device in said vehicles was permitted beforehand based on the first 
certification information transmitted from a device outside said vehicle, This first 
authentication means. [ whether a device outside said vehicle which has carried out the 
access request is judged to be the device outside a vehicle to which access to an electronic 
device in said vehicles was permitted beforehand, and ] If said first identification device 
judges said access request to be what does not need attestation of a device outside said 
vehicle, commo data transmitted via said communication apparatus from a device outside 
said vehicle, The first distribution means distributed to an electronic device in said vehicles 
of an access point. 

[Claim 2]An information system device for reporting information acquired from the exterior 
as an electronic device in said vehicles in said mounted LAN to a vehicle occupant, ** is 
connected with control system equipment for controlling vehicles, and said first 
identification device, If there is an access request to an electronic device in said vehicles, 
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this access request by identifying whether it is which access request of said information 
system device and said control system equipment, This access request judges whether it is 
an access request to an electronic device in said vehicles which needs attestation of a 
device outside said vehicle, and said first authentication means, If said first identification 
device judges said access request to be an access request to said control system 
equipment, The repeating installation for vehicles according to claim 1 judging whether a 
device outside said vehicle is a device outside a vehicle to which access to an electronic 
device in said vehicles was permitted beforehand based on the first certification information 
transmitted from a device outside said vehicle. 

[Claim 3]When there is an access request from a device outside said vehicle to an 
electronic device in said vehicles, this access request, The second identification device that 
judges whether it is a write request for writing in a parameter a program which operates 
with an electronic device in vehicles, or for electronic device operation in vehicles, If said 
second identification device judges an access request to an electronic device in said 
vehicles not to be said write request, Operate said first identification device, and if said 
second identification device judges an access request to an electronic device in said 
vehicles to be said write request, Based on the second transmitted certification information, 
from a device outside said vehicle, a device outside said vehicle which has carried out the 
write request, The second authentication means that judges whether it is the device outside 
a vehicle to which writing of a parameter a program which operates with an electronic 
device in said vehicles, or for said electronic device operation in vehicles was permitted, 
Only when it is judged that this second authentication means is the device outside a vehicle 
to which writing of a parameter a program which operates a device outside said vehicle 
which has carried out the write request with an electronic device in said vehicles, or for said 
electronic device operation in vehicles was permitted, The second distribution means that 
distributes commo data transmitted via said communication apparatus from this device 
outside a vehicle to an electronic device in said vehicles of an access point, The repeating 
installation for vehicles according to claim 1 or 2 characterized by preparation ******. 
[Claim 4]lf said second identification device judges an access request to an electronic 
device in said vehicles to be said write request, said second authentication means, If it 
judges whether a device outside said vehicle is a device outside a vehicle to which access 
to an electronic device in said vehicles was permitted beforehand based on said first 
certification information and a device outside said vehicle is a device outside a vehicle to 
which access to an electronic device in said vehicles was permitted beforehand, The 
repeating installation for vehicles according to claim 3 judging whether a device outside 
said vehicle which has carried out the write request is a device outside a vehicle to which 
writing of a parameter a program which operates with an electronic device in said vehicles, 
or for said electronic device operation in vehicles was permitted based on said second 
certification information. 

[Claim 5]Said second authentication means by comparing said first certification information 
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transmitted from a device outside said vehicle with certification information which self owns, 
If it judges whether a device outside said vehicle is a device outside a vehicle to which 
access to an electronic device in said vehicles was permitted beforehand and a device 
outside said vehicle is a device outside a vehicle to which access to an electronic device in 
said vehicles was permitted beforehand, Said second certification information transmitted 
from a device outside said vehicle is transmitted to an electronic device in said vehicles 
used as a write object of said program or said parameter, Make this electronic device in 
vehicles compare said second certification information with certification information which 
this electronic device in vehicles owns, and. Acquire this collated result from this electronic 
device in vehicles, and based on a this acquired collated result, The repeating installation 
for vehicles according to claim 4 judging whether a device outside said vehicle which has 
carried out the write request is a device outside a vehicle to which writing of a parameter a 
program which operates with an electronic device in said vehicles, or for said electronic 
device operation in vehicles was permitted. 
[Claim 6]A communications system comprising in the car: 
Mounted LAN built by vehicles. 

A communication apparatus which performs data communications between devices outside 
a vehicle. 

This communication apparatus. 

The repeating installation for vehicles according to any one of claims 1 to 5 which relays 
communication between various electronic devices in vehicles connected with a device 
outside a vehicle which is arranged between said mounted LAN and connected via said 
communication apparatus at said mounted LAN. 



[Translation done.] 
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JPO and INPIT are not responsible for any 
damages caused by the use of this translation. 

1 This document has been translated by computer. So the translation may not reflect the 
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DETAILED DESCRIPTION 

[Detailed Description of the Invention] 
[0001] 

[Field of the lnvention]This invention relates to the repeating installation for vehicles which 
relays communication between the device outside a vehicle connected via a 
communication apparatus, and the various electronic devices in vehicles connected to 
mounted LAN. 
[0002] 

[Description of the Prior Art]ln vehicles in recent years, especially a car, a control device, 
information machines and equipment, audio equipment, The number of loading of the said 
various electronic devices in vehicles is increasing, and about the electronic device in 
vehicles the coordinated movements between devices or sharing of information. It is 
common to connect by a communication wire for exclusive use, and to build the network for 
information and telecommunications (what is called mounted LAN) so that information can 
be transmitted and received between [ each ] devices. 

[0003]lt follows on the network besides vehicles having progressed in recent years, The 
infrastructure which can acquire a variety of information required for each device in vehicles 
from the outside of vehicles is fixed, and the example which connects many electronic 
devices in vehicles provided with the walkie-talkie for communicating between the devices 
outside a vehicle to mounted LAN is increasing in connection with this. 
[0004]For example, a navigation device which can connect the cellular phone etc. which 
are used for the purpose of collecting neighboring store information from the Internet of a 
VICS walkie-talkie or the exterior which can receive the road traffic information provided 
from a vehicle information communication system (VICS), It is the on-board ETC unit etc. to 
which the ETC walkie-talkie for communicating between automatic fee accounting systems 
(ETC) was connected. 
[0005] 

[Problem(s) to be Solved by the lnvention]However, in the conventional mounted LAN, 
Since it had become the composition which carries out direct continuation to the mainly 
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used apparatus about the information in the walkie-talkie for acquiring a variety of 
information from the exterior, it has not arranged in the position of a request in the car, and 
the walkie-talkie had to carry out excessive wiring between a walkie-talkie and apparatus, 
and was inconvenient. 

[0006]ln order to cancel this problem, direct continuation of the walkie-talkie is carried out to 
mounted LAN, and how the device in mounted LAN which needs the information which the 
walkie-talkie received enables it to acquire required information from a walkie-talkie via that 
mounted LAN can be considered, for example. If it does in this way, it will be high, and also 
there will also be few wiring numbers, and the flexibility of the installed position of a walkie- 
talkie etc. will be settled convenience. 

[0007]However, it becomes possible to access each device connected to mounted LAN 
from the outside of vehicles via the walkie-talkie as it is such composition, and a possibility 
that the same problem as unlawful access to the network terminal which occur frequently in 
fields, such as the Internet, will occur is high in recent years. 

[0008]This invention is made in view of such a problem, and an object [ simplifying the 
wiring in a communications system in the car ] of this invention is to fully prevent unlawful 
access from the outside to the various electronic devices in vehicles in vehicles. 
[0009] 

[Means for Solving the Problem]ln the invention according to claim 1 made in order to attain 
this purpose, It is arranged between mounted LAN built by vehicles and a communication 
apparatus which performs data communications between devices outside a vehicle, 
Repeating installation for vehicles which relays communication between various electronic 
devices in vehicles connected with a device outside a vehicle connected via the 
communication apparatus at mounted LAN is equipped with the first identification device, 
the first authentication means, the first distribution means, and **. 

[0010]Namely, if repeating installation for vehicles of this invention has an access request 
to an electronic device in vehicles connected to mounted LAN from a device outside a 
vehicle, will identify the access point in the first identification device, and. Based on the 
discriminated result, an access request judges whether it is an access request to an 
electronic device in vehicles which needs attestation of a device outside a vehicle. 
[001 1]lf the first identification device judges the access request to be what needs 
attestation of a device outside a vehicle, repeating installation for vehicles, Based on the 
first certification information transmitted from a device outside a vehicle in the first 
authentication means, it is judged whether a device outside a vehicle is a device outside a 
vehicle to which access to an electronic device in vehicles was permitted beforehand. 
[0012]repeafmg installation for vehicles, when a device outside a vehicle in which the first 
authentication means has carried out the access request is judged to be the device outside 
a vehicle to which access to an electronic device in vehicles was permitted beforehand, 
When the first identification device judges an access request to be what does not need 
attestation of a device outside a vehicle, commo data transmitted via a communication 

http://www4.ipdl.inpit.go jp/cgi-bin/tran_web_^ 7/18/2008 



JP,2003-046536,A [DETAILED DESCRIPTION] 



Page 3 of 16 



apparatus in the first distribution means from a device outside a vehicle is distributed to an 
electronic device in vehicles of an access point. 

[0013]Therefore, the repeating installation for vehicles according to claim 1 can refuse 
access to an electronic device in the vehicles about access from a device outside a vehicle 
with which access to an electronic device in vehicles in mounted LAN is not permitted, 
before connecting a device outside a vehicle to mounted LAN. if it puts in another way, the 
repeating installation for vehicles can restrict access from the outside by attesting a device 
outside a vehicle by the first authentication means - a result - the exterior - unlawful 
access can be prevented. 

[0014]As a method of making it judging whether it is an access request to an electronic 
device in vehicles with which an access request needs attestation of a device outside a 
vehicle for the first identification device, For example, an electronic device in vehicles which 
needs attestation of a device outside a vehicle in repeating installation for vehicles is listed 
beforehand, and there is a method of making it judge whether, based on the list, attestation 
of a device outside a vehicle is needed for the first identification device. In addition, two or 
more independent networks are built according to a system of an electronic device in 
vehicles as mounted LAN, If repeating installation for vehicles is not passed at these 
networks, it prevents from accessing from the outside, It may be made to judge whether it is 
that to which an access request needs attestation of a device outside a vehicle for the first 
identification device when an access request makes it judge whether it is an access request 
to an electronic device in vehicles belonging to a network of which system. 
[0015]Certification information (password etc.) for every electronic device in vehicles is 
beforehand stored in repeating installation for vehicles, and authentication methods in case 
attestation of a device outside a vehicle is needed in this case include a method of making 
that certification information and certification information acquired from a device outside a 
vehicle compare with repeating installation for vehicles, for example. When certification 
information common to an electronic device in vehicles is stored in repeating installation for 
vehicles as another example and there is an access request [ need / a device outside a 
vehicle / to be attested ], a device outside a vehicle may be made to attest in common 
certification information regardless of an access point. 

[0016]ln addition, an information system device for reporting information which acquired an 
electronic device in vehicles connected to mounted LAN from the exterior to a vehicle 
occupant, It may be made to judge, when it classifies into control system equipment for 
controlling vehicles and an access request makes the first identification device identify 
which access request it is among an information system device and control system 
equipment whether attestation of a device outside a vehicle is necessity. 
[0017]ln this case, when [ according to claim 2 ] the first identification device judges an 
access request to be an access request to control system equipment like, it is good to 
constitute repeating installation for vehicles so that the first recognition means may attest a 
device outside a vehicle with a described method. 
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[0018]Thus, if it sets, control system equipment for controlling vehicles can be accessed 
only from a just device outside a vehicle which received attestation, and the repeating 
installation for vehicles can prevent unlawful access to control system equipment 
concerning a run of vehicles. By the way, although the technique of judging whether a 
device outside a vehicle needs to be attested by above identifying an access point was 
taken, also when it is better to attest a device outside a vehicle irrespective of an access 
point depending on kinds (kind of commo data, etc.) of access request from a device 
outside a vehicle, it thinks. 

[0019]For example, access requests are a program which operates with an electronic 
device in vehicles, a case where it is a write request for writing in a parameter for electronic 
device operation in vehicles (for example, conformity constant for operating a control 
system in vehicles exactly), etc. For this reason, in addition to the first identification device, 
the first authentication means, and the first distribution means, in the repeating installation 
for vehicles according to claim 3, the second identification device, the second 
authentication means, and the second distribution means are established. 
[0020]Namely, if the repeating installation for vehicles according to claim 3 has an access 
request to device empty vehicle both [ outside a vehicle ] inner electronic device, It is 
judged whether it is a write request for the access request to write in a parameter a 
program which operates with an electronic device in vehicles, or for electronic device 
operation in vehicles in the second identification device, If the second identification device 
judges an access request to an electronic device in vehicles not to be a write request, the 
second authentication means is made composition which operates the first identification 
device. 

[0021 ]lf an access request to an electronic device in vehicles is judged to be a write request 
of a parameter for a program or electronic device operation in vehicles, the second 
identification device this repeating installation for vehicles, Based on the second 
certification information transmitted from a device outside a vehicle, it is judged whether a 
device outside a vehicle which has carried out the write request in the second 
authentication means is a device outside a vehicle to which writing of a parameter a 
program which operates with an electronic device in vehicles, or for electronic device 
operation in vehicles was permitted. 

[0022]And only when it is judged that it is the device outside a vehicle to which writing of a 
parameter a program which operates a device outside a vehicle in which the second 
authentication means has carried out the write request with an electronic device in vehicles, 
or for electronic device operation in vehicles was permitted, A parameter a program as 
commo data transmitted via a communication apparatus in the second distribution means 
from a device outside a vehicle or for electronic device operation in vehicles is distributed to 
an electronic device in vehicles of an access point. 

[0023]Therefore, in the repeating installation for vehicles according to claim 3, When an 
access request is a write request of a parameter for a program or electronic device 
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operation in vehicles, Regardless of an access point, based on the second certification 
information, a device outside a vehicle can be attested and a program to a result and an 
electronic device in vehicles by unjust access and writing of a parameter for electronic 
device operation in vehicles can be prevented. 

[0024]Of course, when it is a write request from a just device outside a vehicle. Since it is a 
mechanism in which a parameter for a program or electronic device operation in vehicles is 
distributed to an electronic device in vehicles of an access point in the second distribution 
means, A valid user can be made to write in and update a program of an electronic device 
in vehicles, and a parameter for electronic device operation in vehicles simply according to 
the repeating installation for vehicles concerned, preventing writing of a parameter a 
program by unlawful access, and for electronic device operation in vehicles. 
[0025]For example, in the former, although a dealer etc. were making a program of an 
electronic device in vehicles update by apparatus for exclusive use, a program can be 
updated, without forcing upon a driver etc. a troublesome thing [ a thing ] vehicles are 
carried in at a dealer in vehicles with which such repeating installation for vehicles was 
incorporated. 

[0026]ln the repeating installation for vehicles according to claim 3, it is desirable to adopt a 
firm authentic method which can judge whether a device outside a vehicle is more certainly 
just in an authentic method when an access request is the writing of a parameter for a 
program or electronic device operation in vehicles. 

[0027]for this reason - being alike - for example - being according to claim 4, if the 
second identification device judges an access request to an electronic device in vehicles to 
be a write request like, If the second authentication means judges whether a device outside 
a vehicle is a device outside a vehicle to which access to an electronic device in vehicles 
was permitted beforehand based on the first certification information and a device outside a 
vehicle is a device outside a vehicle to which access to an electronic device in vehicles was 
permitted beforehand, It is good to constitute repeating installation for vehicles so that it 
may judge whether a device outside a vehicle which has carried out the write request is a 
device outside a vehicle to which writing of a parameter a program which operates with an 
electronic device in vehicles, or for electronic device operation in vehicles was permitted 
based on the second certification information. 

[0028]Thus, since a device outside a vehicle can be attested in two steps based on the first 
certification information and second certification information if repeating installation for 
vehicles is constituted, it can be distinguished more certainly whether a program and a 
write request of a parameter for electronic device operation in vehicles are the things from a 
just device outside a vehicle. Therefore, according to repeating installation for vehicles of 
this invention (claim 4), unlawful access to an electronic device in vehicles connected to 
mounted LAN can be prevented more certainly. 

[0029]Specifically, it is preferred according to claim 5 to constitute the repeating installation 
for vehicles according to claim 4 like. By comparing the first certification information that 
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owns certification information for the second authentication means to attest a device 
outside a vehicle in the repeating installation for vehicles according to claim 5, and has 
been transmitted from a device outside a vehicle with the certification information which self 
owns, It is constituted so that it may judge whether a device outside a vehicle is a device 
outside a vehicle to which access to an electronic device in vehicles was permitted 
beforehand. 

[0030]lf it judges that this second authentication means is the device outside a vehicle with 
which a device outside a vehicle was permitted beforehand access to an electronic device 
in vehicles, the second certification information transmitted from a device outside a vehicle 
will be transmitted to an electronic device in vehicles used as a write object of a parameter 
for a program or electronic device operation in vehicles. 

[0031 ]To an electronic device in vehicles which receives this second transmitted 
certification information. Certification information for judging whether a device outside a 
vehicle is a device outside a vehicle to which writing of a parameter for a program or 
electronic device operation in vehicles was permitted is memorized, and the second 
authentication means, An electronic device in vehicles is made to compare the second 
certification information with certification information which an electronic device in the 
vehicles owns by transmitting the second certification information. It is judged whether a 
device outside a vehicle which acquired the collated result from an electronic device in 
vehicles, and has carried out the write request based on an acquired collated result is a 
device outside a vehicle to which writing of a parameter a program which operates with an 
electronic device in vehicles, or for electronic device operation in vehicles was permitted. 
[0032]ln the repeating installation for vehicles according to claim 5 which attests a device 
outside a vehicle with such an authentication method. Since the second attestation is made 
to perform to the program or an electronic device in vehicles of a write object of a 
parameter, when repeating installation for vehicles should malfunction by unlawful access, 
an unjust program and writing of a parameter for electronic device operation in vehicles can 
be prevented. A device can be directly connected to mounted LAN and it can be prevented 
also to an act which is going to access unlawfully to an electronic device in vehicles. 
[0033]lf the repeating installation for vehicles according to any one of claims 1 to 5 
explained above is used, a communications system in the car which is equal to unlawful 
access can be built. Specifically The communication apparatus according to claim 6 which 
performs data communications for the repeating installation for vehicles according to any 
one of claims 1 to 5 between devices outside a vehicle like, What is necessary is to arrange 
between mounted LAN built by vehicles and just to make communication between various 
electronic devices in vehicles connected with a device outside a vehicle connected to the 
repeating installation for vehicles via a communication apparatus at mounted LAN relay. 
[0034]Under the present circumstances, if all the communication apparatus carried in 
vehicles are connected to repeating installation for vehicles, repeating installation for 
vehicles can relay all accesses from a device outside a vehicle, and all unlawful accesses 
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can be made to cope with it with repeating installation for vehicles. Therefore, in such a 
communications system in the car, unlawful access to an electronic device in vehicles can 
be prevented more certainly. 
[0035] 

[Embodiment of the InventionJThe example of this invention is described with a drawing 
below. Drawing 1 is a block diagram showing the composition of the communications 
system 1 in the car with which this invention was applied. 

[0036]As shown in drawing 1 , the communications system 1 of this example in the car, 
Mounted LAN 10 built by each electronic control (ECUs 11-37) installed in vehicles as an 
electronic device in vehicles, It is arranged between the communications department 40 for 
communicating between the devices 3 outside a vehicle, mounted LAN 10, and the 
communications department 40, and is ** constituted with gateway ECU50 which relays the 
data communications between each ECUs 1 1-37 in mounted LAN 10, and the device 3 
outside a vehicle. 

[0037]The above-mentioned ECU in the vehicles corresponding to each system is 
connected to the transmission line with the above-mentioned mounted LAN 10 [ common to 
a control system network, an AVC system network, a body system network, and each 
network, ** and others, ] built in vehicles. For example, ECU for vehicle control concerning 
a run of engine ECU11, ECT-ECU13, VSC-ECU15, ACC-ECU17, and circumference 
surveillance ECU 19 grade is connected to the control system network. 
[0038]Engine ECU11 is an engine control system which controls an engine here, ECT- 
ECU13 is a speed change controlling device which performs transmission control of an 
automatic transmission, and these are the so-called control devices of a power-train 
system. VSC-ECU15 is a control device which performs the attitude control and braking 
control of vehicles, ACC-ECU17 is a running control device which performs control in which 
vehicles are made to follow precedence vehicles, and these are the so-called control 
devices of a vehicle motion system. 

[0039]On the other hand, ECU for body control of meter ECU21 , anti-theft ECU23, and air- 
conditioner ECU25 grade is connected to the body system network. Meter ECU21 is 
various states of vehicles, such as the vehicle speed, an engine speed value, a switching 
condition of a door, and a shift range of a gearbox, for displaying on a display, and anti-theft 
ECU23, It is for supervising a vehicle state and a malicious person invading in vehicles, or 
sounding a warning sound, when trying to steal each apparatus in vehicles, or calling an 
external center in emergency dial, and air-conditioner ECU25 is for controlling an air- 
conditioner. 

[0040]ln addition, AVC system ECU belonging to the information machines and equipment 
which perform variety-of-information offers (an information display, reproduction, etc.) of 
navigation ECU31, audio ECU33, telephone ECU35, and ETC-ECU37 grade is connected 
to the AVC system network. Navigation ECU31 acquires map data from the map data 
storage (not shown) which comprises a DVD player connected to self, a CD player, etc., 
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and. It is ECU for displaying the map which acquires the information about the current 
position of vehicles from the GPS receiver (not shown) connected to the communications 
department 40, and expresses the current position of vehicles based on this on displays 
(not shown), such as a liquid crystal display connected to audio ECU33 mentioned later, for 
example. 

[0041]Navigation ECU31 acquires congestion information etc. from the VICS walkie-talkie 
41 grade mentioned later, It shows a driver to the gate location for ETC by displaying these 
information on a display with a map, or acquiring the position information on the gate for 
ETC, etc. from the ETC walkie-talkie 45 mentioned later, and displaying these information 
on a display. 

[0042]Next, according to the instructions as which audio ECU33 was inputted when a user 
operated the operation switch connected to the ECU concerned, It is for acquiring from the 
television radio walkie-talkie 43, and reproducing this with the loudspeaker system in 
vehicles, a liquid crystal display, etc. by controlling the tuner built in the television radio 
walkie-talkie 43 which mentions later the radio broadcasting program which a user desires, 
and a television broadcasting program. 

[0043]Telephone ECU35 is connected to the external device by which the walkie-talkie 47 
for a telephone was connected to the telephone network by communicating between the 
walkie-talkies 47 for a telephone mentioned later via the base transceiver station in a 
telephone network, It is for making it communicate through a telephone line between each 
ECU of mounted LAN 10, and an external device. 

[0044]ln addition, if the order information concerning fee collection, etc. are acquired from 
an ETC center via an ETC walkie-talkie (after-mentioned), ETC-ECU37, It is because a 
variety of information is read from the card reader etc. which answered this and were 
connected to self and this is sent out to an external ETC center via the ETC walkie-talkie 
45. 

[0045]As the communications department 40 of this example shows drawing 1 , then, two or 
more kinds of walkie-talkies, such as the VICS walkie-talkie 41, the television radio walkie- 
talkie 43, the ETC walkie-talkie 45, and the walkie-talkie 47 for a telephone, It is ** 
constituted with the external device terminal area 49 for connecting devices outside a 
vehicle, such as the service tool 5, into vehicles directly. 

[0046]The VICS walkie-talkie 41 comprises a radio wave beacon receiver, a light beacon 
receiver, etc. for, for example, receiving the road traffic information provided from VICS, 
and has composition which sends out the commo data from VICS acquired from these 
walkie-talkies to gateway ECU50. 

[0047]The television radio walkie-talkie 43 is provided with the tuner for receiving a 
television broadcasting signal and a radio broadcast signal, and the tuner is made the 
composition controlled by the above-mentioned audio ECU33 grade connected to mounted 
LAN 10. This television radio walkie-talkie 43 is made composition connectable with the 
external center which provides service of a video on demand in response to the instructions 
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from audio ECU33, and sends out the picture image data etc. which were acquired from 
these to gateway ECU 50. 

[0048]The ETC walkie-talkie 45 is a walkie-talkie for communicating between ETC centers, 
sends out the commo data from an ETC center to gateway ECU50, or transmits the data 
transmitted from mounted LAN via gateway ECU50 to the ETC center side. 
[0049]And the walkie-talkie 47 for a telephone is controlled by the above-mentioned 
telephone ECU, connects self to an external dial-up line network via a base transceiver 
station, and sends out the commo data from the dial-up line network to gateway ECU50. 
Here, the following is mentioned as access from the outside of the car performed via the 
walkie-talkie 47 for a telephone. 

[0050]For example, a vehicle owner inputs the instructions for starting an air-conditioner 
into the above-mentioned air-conditioner ECU25 in mounted LAN 10 from a cellular phone 
etc., and access in the case of carrying out remote control operation of the air-conditioner is 
mentioned. Access in case a user acquires composition data through a telephone line and 
reproduces this in audio ECU33 in vehicles etc. are considered. In addition, a user acquires 
the program which operates by each ECUs 1 1-37 in mounted LAN from an external center 
through a telephone line, this is installed in ECUs 11-37, and access in the case of writing 
in a program newly or updating it can be considered. 

[0051]Although each walkie-talkies 41, 43, 45, and 47 in the communications department 
40 were explained above, in the communications system 1 concerned in the car, the case 
where commo data without directions of a distribution destination (namely, access point) is 
received from the exterior in the communications department 40 can be considered. 
Therefore, what is necessary is to give the information about a distribution destination to 
commo data, and just to constitute the communications department 40, for example about 
the data of a specific kind without directions of each walkie-talkies 41-47 of a distribution 
destination, so that this may be transmitted to gateway ECU50 in coping with such a case. 
For example, when a TV signal is received, it is specifying a distribution destination as 
audio ECU33 etc. 

[0052]ln addition, the service tool 5 for the external device terminal area 49 to perform 
vehicles diagnosis, It comprises a connector for connecting the device outside a vehicle of 
the service tool 5 grade for updating the program in ECU to mounted LAN 10, and if the 
service tool 5 is connected, it has the composition of connecting the service tool 5 to 
gateway ECU50. 

[0053]lt is connected without the communications department 40 and mounted LAN 10, and 
gateway ECU50 has the composition for relaying the data communications between each 
ECUs 11-37 in mounted LAN 10, and the device 3 outside a vehicle, for example, gateway 
ECU50 has what is called a routing function - each system in mounted LAN - access to 
ECU in the network of the others in mounted LAN from ECU in a network is relayed. If there 
is a demand of access to ECU in a control system network in a body system network from 
ECU concretely, the commo data from ECU in a body system network will be transmitted to 
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ECU in a control system network. 

[0054]As a feature which this invention requires, this gateway ECU50 will perform the main 
routine shown in drawing 2 by own CPU, if the commo data which the communications 
department 40 received is acquired. The flow chart with which drawing 2 expresses the 
main routine performed by gateway ECU50, and drawing 3 , The flow chart with which 
called-program transmission processing is expressed by the main routine, and drawing 4 
(a) are a flow chart showing the individual authenticating processing called by the program 
transfer processing, and a flow chart with which drawing 5 expresses access-restriction 
processing. 

[0055]First gateway ECU50 in S1 10 the distribution destination of commo data, It reads in 
the commo data and it is judged whether a distribution destination (namely, access point) is 
what is listed by the in-the-car loading equipment list memorized by the own storage (this 
example memory) based on this (S120). An in-the-car loading equipment list here is a list 
about ECUs 1 1-37 connected to mounted LAN10. 

[0056]Here, if it judges that the distribution destination of commo data is not registered into 
an in-the-car loading equipment list, gateway ECU50 will end the processing concerned, 
after performing access-restriction processing (in detail after-mentioned) in S125. When it 
judges that the distribution destination of commo data is registered into the in-the-car 
loading equipment list, on the other hand, gateway ECU50, In S130 continuing, it is judged 
whether the commo data is commo data including the information about the write request of 
the conformity constant for operating exactly the control system in the information about the 
write request of the program which operates by ECU in mounted LAN 10, or vehicles. The 
write requests of a conformity constant here are things, such as a rewriting demand of an 
engine ignition-timing map, for example. 

[0057]And if it judges that a program or the information about the write request of a 
parameter is included in commo data, gateway ECU50 will perform program transfer 
processing ( drawing 3 ) in S140 next. Although only the write request of a program is 
explained about subsequent processings, these processings are performed in the same 
procedure, when it is a write request of a conformity constant. 

[0058]lf it shifts to program transfer processing, gateway ECU50 will demand the device 3 
outside a vehicle which has transmitted the write request of the program via the 
communications department 40 in S141 first to transmit a password to self as the first 
certification information, and will acquire a password from the device 3 outside a vehicle to 
it. 

[0059]Then, it is judged whether the password of gateway ECU50 corresponds with the 
password beforehand registered into self (gateway ECU50) in S143. About this password, 
the producer should just register the password peculiar to that gateway ECU50 into the 
gateway ECU50 concerned at the time of product shipment, for example. 
[0060]And when it judges that a password is not right (it is got blocked and the acquired 
password and the password registered beforehand are not in agreement) in S143, gateway 
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ECU50, If the processing concerned is ended and a password judges it as the right in S143 
after shifting processing to S169 and performing access-restriction processing ( drawing 5 ), 
processing will be shifted to S145, a program will be acquired from the device 3 outside a 
vehicle via the communications department 40, and a temporary storage will be carried out 
into an own memory. 

[0061]Then, gateway ECU50 performs individual authenticating processing ( drawing 4 ) in 
S150. If it shifts to individual authenticating processing, gateway ECU50 will require 
reception of a program of ECU (it is hereafter expressed as "write object ECU".) in mounted 
LAN 10 which the device 3 outside a vehicle makes the write object of the program in S151 
first. 

[0062]Thus, if gateway ECU50 requires reception of a program, write object ECU which 
received the demand will perform program reception which shows drawing 4 (b) a flow 
chart. The details of the individual authenticating processing which gateway ECU50 shown 
in drawing 4 (a) performs hereafter, and the details of the program reception shown in 
drawing 4 (b) will be explained in parallel. 

[0063]Write object ECU which received the request to receipt of the program, In order that 
the device 3 outside a vehicle which has carried out the write request of a program in S310 
first may distinguish whether it is the device 3 outside a vehicle to which the writing of the 
program was permitted beforehand, the second different certification information from the 
first certification information of the above is required of the device 3 outside a vehicle of 
write request origin. 

[0064]For example, when common key systems (DES method etc.) are adopted as an 
authentic method, write object ECU, In S310, generate the random number r and this is 
once memorized in an own memory, and this random number r is transmitted to the device 
3 side outside a vehicle with a demand of certification information, and it directs to return as 
certification information what enciphered the random number r with the common key K to 
the device 3 outside a vehicle. 

[0065]When requiring this certification information of the device 3 outside a vehicle, once, 
gateway ECU50 acquires that demand information from write object ECU, and transmits 
this to the device 3 outside a vehicle via the communications department 40 (S153). 
Gateway ECU50 will transmit this to write object ECU in S155, if certification information is 
acquired from the device 3 outside a vehicle as a response result to a demand of this 
certification information. 

[0066]On the other hand, write object ECU will compare this with the certification 
information memorized in the own memory, if certification information is acquired from the 
device 3 outside a vehicle via gateway ECU50 (S320) (S330). And if it judged whether 
attestation of the device 3 outside a vehicle was successful based on the collated result 
(S340), and attestation was successful, an authentication success will be notified to 
gateway ECU50 (S350) and attestation will not be successful, what attestation went wrong 
is notified (S355). 
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[0067]When the example in the case of attesting the above-mentioned common key system 
is explained concretely here, write object ECU, Judge whether it is in agreement with the 
random number r which decoded the certification information acquired from the device 3 
outside a vehicle with the common key K and in which this decrypted certification 
information generated it in S310, and if in agreement, It is reported that attestation of the 
device 3 outside the vehicle was successful noting that the device 3 outside a vehicle is a 
device outside a vehicle to which the writing of the program was permitted beforehand (it is 
Yes at S340). 

[0068]On the other hand, gateway ECU50 will judge whether the individual authenticating 
processing concerned was ended and the attestation by write object ECU was successful in 
S161 of program transfer processing ( drawing 3), if an authentication result (the notice of 
an authentication success or the notice of an authentication failure) is received from write 
object ECU in S157. 

[0069]That is, if gateway ECU50 will judge it as No by S1 61 , and will move processing to 
S169, if the notice of an authentication failure is received from write object ECU, and the 
notice of an authentication success is received from write object ECU, it will judge it as Yes 
by S161, and will move processing to S163. 

[0070]And in S163, gateway ECU50 transmits the program stored temporarily to write 
object ECU. Corresponding to this, write object ECU receives the program transmitted from 
gateway ECU50, and memorizes the program in the state which can be performed in an 
own memory (S360). 

[0071]Gateway ECU50 will verify whether write object ECU memorized the program 
correctly in S165, if write object ECU finishes memorizing a program. For example, 
gateway ECU50 verifies whether write object ECU memorized the program correctly by 
comparing whether the program which write object ECU remembered in the memory to be 
the contents of the program which self transmitted is an identical content. 
[0072]And if the program is memorized correctly, out of an own memory. If the program 
which transmitted in S163 is canceled (S167), the processing concerned is ended and the 
program is not memorized correctly (it is No at S165), the program again memorized in the 
own memory is read, and this is transmitted to write object ECU (S163). What is necessary 
is to stop the writing of a program and just to terminate the processing concerned, when the 
writing of a program does not work over multiple times. 

[0073]Next, processing when gateway ECU50 judges commo data not to be a write request 
of a program and a conformity constant in S130 (refer to drawing 2 ) (it is No at S130) is 
explained. As shown in drawing 2 , if gateway ECU50 judges it as No in S130, it will judge 
whether the distribution destinations (access point) of commo data are AVC system ECUs 
31-37 connected to the AVC system network in S170 continuing. 

[0074]Here, if it judges that distribution destinations are AVC system ECUs 31-37 (it is Yes 
at S170), gateway ECU50 will distribute commo data to AVC system ECU of a distribution 
destination in S175. When a distribution destination judges that they are not AVC system 
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ECUs 31-37 (it is No at S170), on the other hand, gateway ECU50, Via the communications 
department 40, the device 3 outside a vehicle which has transmitted the data is required to 
transmit a password to the addressing to ECU concerned, and the password as certification 
information is acquired from the device 3 outside a vehicle to it (S180). 
[0075]Then, it is judged whether the acquired password is the right by judging whether a 
password of gateway ECU50 corresponds with the password beforehand registered into 
self in S190. Gateway ECU50 may be made the composition compared with the same 
password as having used the password acquired from the device 3 outside a vehicle for 
comparing by S143 of the program transfer processing mentioned above, and it may be 
constituted so that it may be another and may compare. In this case, gateway ECU50 is 
made to memorize both the password beforehand used in the case of collation of S143, 
and the password used in the case of collation of S190. 

[0076]And if it judges that gateway ECU50 transmits data to ECU of a distribution 
destination (S200), and its a password is not right if a password judges it as the right (it is 
Yes at S190) (it is No at S190), access-restriction processing will be performed in S195, 
and the processing concerned will be ended. 

[0077]ln this access-restriction processing, gateway ECU50 operates, as shown in drawing 
5. Namely, it is judged whether gateway ECU50 had access more than n times (for 
example, 3 times) in the gateway ECU50 concerned within fixed time from the device 3 
outside a vehicle same at S410, If n accesses or more cannot be found (it is No at S410), in 
S420, it will transmit to the walkie-talkies 41-47 with which the communications department 
40 corresponds that there was unusual access which failed in attestation from the device 3 
outside a vehicle (operation of the walkie-talkies 41-47 corresponding to this is mentioned 
later), and the processing concerned will be ended. 

[0078]On the other hand, when there are n accesses or more, by (S410 Yes), It reports that 
access from the device 3 outside the vehicle is forbidden to the corresponding walkie- 
talkies 41-47 (S430), and the walkie-talkies 41-47 are made to keep from sending again the 
commo data from the device 3 outside a vehicle of the same access origin to gateway 
ECU50, and the processing concerned is ended to them. 

[0079]Each walkie-talkies 41-47 of this example which receive each above-mentioned 
notice of this access-restriction processing perform access control processing as shown in 
drawing 6 , and control access from the device 3 outside a vehicle. Drawing 6 is a flow chart 
showing access control processing. It is judged whether when the commo data as a 
demodulated result is acquired from a demodulator circuit, the walkie-talkies 41-47 acquire 
the information about the device 3 outside a vehicle of the transmitting origin included in 
commo data, and identify the transmitting origin (S510), and a transmitting agency is in an 
access-inhibit list in S520. Whenever this access-inhibit list receives the notice of an access 
inhibit from gateway ECU50, the walkie-talkies 41-47 update it one by one, and the walkie- 
talkies 41-47, The access-inhibit list which registered the device 3 outside a vehicle which 
was the target of the access inhibit into the own memory is held. 
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[0080]lf it judges that transmitting [ commo data ] origin is in an access-inhibit list in these 
S520, the walkie-talkies 41-47 will refuse access to gateway ECU50 of the device 3 outside 
a vehicle of a transmitting agency in S540 continuing. That is, the walkie-talkies 41-47 are 
canceled, without transmitting the commo data received from the transmitting origin to 
gateway ECU50. 

[0081]On the other hand, if it judges that there is no transmitting [ commo data ] origin in an 
access-inhibit list in S520, the walkie-talkies 41-47 will judge whether fixed time lapse is 
carried out, after the transmitting origin receives unusual access in S530 continuing. Fixed 
time here is set as time sufficiently shorter than the time at the time of judging whether n 
accesses or more had gateway ECU50 in S410. 

[0082]Here, if it judges that the fixed time after unusual access has not passed, the walkie- 
talkies 41-47 will move to S540, and will refuse access to gateway ECU50 of the device 3 
outside a vehicle of a transmitting agency. If it judges that the fixed time after unusual 
access has passed, or the notice of unusual access is not received on the other hand, 
processing will be moved to S550 and commo data will be transmitted to gateway ECU50. 
[0083]As mentioned above, although the communications system 1 of this example in the 
car was explained, The communications department 40 by which gateway ECU50 is 
connected to the device 3 outside a vehicle in this communications system 1 in the car, 
When relaying communication between mounted LAN10, the device 3 outside a vehicle if 
needed Access to each ECUs 1 1-37 of mounted LAN 10. Since it checks by acquiring a 
password for whether it is the device outside a vehicle to which (namely, data 
communications with each ECU) were permitted, unjust access to each ECUs 11-37 in 
mounted l_AN10 can be prevented. By having such composition, unjust access can be 
further prevented from the outside and such a system can consist of cheaply cases where 
the device 3 outside a vehicle is attested only by individual ECU. In addition, wiring in a 
communications system in the car can be lessened. 

[0084]Commo data programs in the communications system 1 of this example in the car, It 
is not related with the write request of a conformity constant, and when it is AVC system 
ECU (ECUs 31-37 connected to the AVC system network) for reporting the information 
which the distribution destination (access point) of commo data acquired from the exterior 
to a vehicle occupant, the device 3 outside a vehicle is not attested. 
[0085]Though artificiality was made with malicious intent by the commo data as long as it 
was commo data to AVC system ECUs 31-37, it is because the commo data does not 
affect the safety about a run of vehicles. It is because the processing load of gateway 
ECU50 will become high if the device 3 outside a vehicle is attested one by one if it takes 
that access to AVC system ECU is frequently performed from the outside into 
consideration. Of course, you may attest individually if necessary at each ECU. 
[0086]On the other hand, when the distribution destinations of commo data are ECUs other 
than AVC system ECU, it is made to attest the device 3 outside a vehicle with a password 
etc. (when it puts in another way and is ECUs 1 1-25 connected to the control system 
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network and the body system network) once at least. It is because each ECU connected to 
a control system network and a body system network is ECU in connection with vehicle 
control, so it needs the thing which required these ECUs unjustly and for which it is made 
not to be shifted and the traveling safety of vehicles is secured. 

[0087]Moreover [ especially ], in the communications system 1 of this example in the car, 
When commo data is a thing about the write request of a program and a conformity 
constant, access of the device 3 outside a vehicle is more severely restricted irrespective of 
the kind of ECU of a distribution destination by performing second attestation in addition to 
the first attestation with a password etc. Therefore, in the communications system 1 of this 
example in the car, the situations - the program which operates in ECU, and the conformity 
constant concerning vehicle control will be rewritten unjustly - can be prevented. 
[0088]ln addition, in this communications system 1 in the car, Since access from the device 
3 outside a vehicle with attestation going wrong [ much ] is forbidden with n authentication 
failures and he is trying not to input the commo data from the device 3 outside a vehicle into 
gateway ECU50 in the communications department 40, The problem of the processing load 
of gateway ECU50 increasing by unlawful access is solvable. 

[0089]Here, the relation of the communications system 1 of this example in the car and the 
communications system of this invention in the car which were explained above is as 
follows. First, the repeating installation for vehicles of this invention is equivalent to gateway 
ECU50 of this example, and the information system device of this invention, It is equivalent 
to AVC system ECUs 31-37 connected to the above-mentioned AVC system network, and 
the control system equipment of this invention is equivalent to each ECUs 11-25 connected 
to the above-mentioned control system network or the body system network. The access 
request of the device outside a vehicle is equivalent to the operation in which the device 3 
outside a vehicle transmits commo data to the communications department 40. 
[0090]And based on the distribution destination where gateway ECU50 has grasped the 
first identification device of this invention by S1 10, It is equivalent to the operation which 
judges whether a distribution destination is AVC system ECU as an information system 
device in S170, and the first authentication means is equivalent to the operation whose 
gateway ECU50 acquires the password as the first certification information in S180, and 
judges whether a password is the right in S190. The first distribution means is equivalent to 
processing of S200 performed when it is judged as Yes by S175 and S190 which are 
performed when gateway ECU50 judges it as Yes by S170. 

[0091]ln addition, the second identification device of this invention is equivalent to the 
processing operation of S130 to perform, and gateway ECU50 the second authentication 
means, When gateway ECU50 judges an access request not to be write requests, such as 
a program, while shifting a step to S170, when access requests are write requests, such as 
a program, it is equivalent to the operation which performs processing of S140-S161 . 
Gateway ECU50 shifts a step to S163 based on the decision result of S161, and the 
second distribution means is equivalent to the operation which transmits commo data 
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(program etc.) to ECU. 

[0092]As mentioned above, although the example of this invention was described, the 
repeating installation for vehicles and the communications system in the car of this 
invention are not limited to the above-mentioned example, and can take various modes. For 
example, although it had composition which attests the device 3 outside a vehicle with a 
password first in the above-mentioned example, the device 3 outside a vehicle may be 
attested with other authentication methods. If the device 3 outside a vehicle is attested with 
an authentication method more reliable than those, such as a common key system, 
authentication time may become long, but unlawful access to ECU in mounted LAN 10 can 
be prevented more certainly. 

[0093]ln addition, when write requests, such as a program, were received, are a different 
authentication method, and had composition which attests the device 3 outside a vehicle 
twice, but. In order to secure the safety about these writing, it may attest 3 times or more 
with a reliable authentication method, and the system concerned may be built only once so 
that the device 3 outside a vehicle may be attested with a very reliable authentication 
method. 



[Translation done.] 
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* NOTICES * 

JPO and INPIT are not responsible for any 
damages caused by the use of this translation. 

LThis document has been translated by computer. So the translation may not reflect the 
original precisely. 

2.**** shows the word which can not be translated. 
3. In the drawings, any words are not translated. 



DESCRIPTION OF DRAWINGS 

[Brief Description of the Drawings] 

fDrawing 1] lt is a block diagram showing the composition of the communications system 1 
of this example in the car. 

[Drawing 2] lt is a flow chart showing the main routine which gateway ECU50 performs. 
[Drawing 3] lt is a flow chart showing the program transfer processing which gateway 
ECU50 performs. 

[Drawing 4] They are a flow chart (a) showing the individual authenticating processing which 
gateway ECU50 performs, and a flow chart (b) showing the program reception which write 
object ECU performs. 

[Drawing 5] lt is a flow chart showing the access-restriction processing which gateway 
ECU50 performs. 

[Drawing 6] lt is a flow chart showing the access control processing which each walkie- 
talkies 41-47 perform. 
[Description of Notations] 

1 [ - ECU, 40 / - The communications department, 41 , 43, 45, 47 / -- A walkie-talkie, 49 / - 
An external device terminal area, 50 / - Gateway ECU ] - A communications system in the 
car, 3 - The device outside a vehicle, 10 - Mounted LAN, 1 1-37 



[Translation done.] 
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m^^com^m^zm-rh m&z&tsmm?-? x-h 
hfrfofrimm^h. ft. zzx'\^m-&nm<7)&& 

ZfcDZbThh. 

[00 57] -5-lxTs ilfl-r"-^(C. Toy^X^ 
•fhb. y-h^x^ECU 5 0(4. &(=S140(rt 



rn^-^Aieiii^ (^3) sriifrf*. ft. 

II(;:ovvC(4. roy^A^&g^C^T^faag 

[00 583 y°v7?j±m8m\,zwfi-th t . y- h 

^x4 ECU 5 0(4. ^-f S14 ICt, aflg&4 0£ 
I3C. i#5S(C^-OfgSEtflgt LTA*7-F£i* 

[0 0 59] jglWT. y-h»7x^ ECU 5 0(4. SI 

4 3CT. fWU7-F*\ S# (y-f*7x-f EC 
U 5 0 ) iz^nbSM^titz^^V-Vb-^-t^b'o 

ft. 1 rc7)>'N , xv-K(cMtt(4. #1*. 
(4*. ssi D a a ai?$B#(c^^sKy- ^x^ecu5o 

£ <?■ *>y- h "7 x E C U 5 0 EWW \'X V - H 
[00 60] *l/C, S 1 4 3(2T^n , X'7-KA^IEL< 

x^ECU5 0(4. ^^rS 1 6 9lZ&ftLX. 

xMmm (115) ^ffUcmcsf&tjm^&TU 

5 1 4 3 (CT>n°X V- KjWE tV^ b W8ff-TI> t . 

S 1 4 5\>zWfs LXTn7yJ±Zm\mS3frt>mm& 

4 0Sri>LT5X#t. gt^^'irtC-^Mttti. 
[006l3i^T, y-h'7x-<ECU50(4. SI 

5oizxmmmmm (H4) zmmh. mmm® 

mizWfr-?Z>b. y-h^x^f ECU5 0(4. *-rsi 

5 1(CT. m^gS3^'roy5AW»3^akLT^ 
SfSLANlO^ECU (KIT. rfaJttEC 
Uj t«S-f*. ) fc. 7"o^5A<0S«&»*t*. 

[00 62 3 :^?(:y-'-h7x^ECU50^7o 
y9A<05«3*5S*^4 k . SSS^»«:»ii««E C 
U(4. 04 (b) t7D-f H^t7n/5AS 
®MI&llfM-4. tiT. 04 (a) C^tr'-S^x 
>f E C U 5 0 #!SfTT4ffl8!SSE*S<0SMi: . 04 

( b ) izijk-rT'vry^&mwmnimzM.ft txmm 

~?hZb\z~?&. 
[0 0633 7*0^5 AOSMS*Sr*»tfe»ii«*E 
CU(4. *fS3 1 0(CT. 7'n^7AcoSfiS*S:L 

[0064 3 mm. tmx&b ix&mmtt < d e 

S^x^) SJRfflUfc**, fMfECUIi. S3 1 
OCT, SLISrtr^cL. ClK&— B.. e#0^t'Jrt 

(cietrri. tftc ^oas r srigsEtsfRo^fc^c 

fc^eMlKr«»fl:L^fc<o*BlEflNBi: LXMOm- 



(8) 132003-46536 (P2003-46536A) 



i o o 6 5 ] zer>mEffim<r>m$i£imms.3 

LX*9&at3tztim-h ( S 1 5 3 ) . 4fc, ^-h 

^x-fEcu5o«. z<Dt&mm<om^tizm-htm 
m&b Lxwmw. 3 a»£B»»**ix»-f «. 1 . s i 

[00661-J, §&*f*ECUti, ^-h^x-YE 
CU 5 0£:frLT, m*H£S 3 4>83Ef»«S:K»*-4 
k (S3 20) , £*Ufc. iJpW^tUrtfclBttSn^ 
BBEflBBfcBg^r* (S330). fit, !ft£ISJIC 
, 3 &&&&&& LfcsWf frfeW L 

(S34 0) , BteMfe&L-CvtfU*. BB***y- 
h^x>(ECU5 0tiaL (S3 50) . VM&WBto 
L&Wxif , BfiEtfifelBtLfc; k £ffl*nf S ( S 3 5 
5) . 

[00 67] z.^x\ iM^mmttnimzffo 

OMSrftftWfcK^-t&t. «i*t#lECU<i, »tt§£ 

a 3 tixft Ltzwm* , ft^iHK t«f t t . i 

oa-^-ft LfcBSEflWR** . S 3 1 0 lirt L fcSLR r 

( S 3 4 0 T'Y e s ) , WWMtat 3 OfgEE#j£:»L 

[00681-J, y-b^x^fECU50ll S15 
7tT«i*ftRECU*»4,|giaS* (f£liEj£#)<OiI*nk 
t< lliSiiE&ljtajlSn) £gfrtl>k, SmiiS'JISIE^ 
3I*»TLT. ru^7AKi*«!ia (03 ) OS 16 1 
fcT , SiiM^E C UX'<Vl2.m t i&&}Ltzi)>&frt: ! f>ffi 

[00 69 3 y-h^x'f ECU50I4. s& 

*fflE C U*$>BlBfc&<oa3ai£®t«> k , SI 6 IT 
NokWrLT, 551^S1 6 9C»U #&*f£lEC 
Ufr6SSilJS«J<?5a*0«:«t4 k . S 1 6 1 T'Y e s k 
WrLT, ««I£S 1 6 3K^f. 

[00 70] *LT, S163fcfcV^T. h^x-f 
ECU50I1 -fSIEteLT^fcTo^A*, 
«*ECUfcaa«^-4. ft. dix(=«iEL.T. saw* 
ECUil ?-h«7x-f ECU5 0*»<<>ei8£ilTSrt: 
7 ,, o?"7A£§ff LT, g#<7)*^: 

y rtt=i!^far«5SrjR!Bt:r , IBtTf £ ( S 3 6 0 ) . 
[0071] tfc, y-hvx'fEcusoti, 

«ECU*«Tn^9A$-!EtlLi»i34k, S 1 6 5 C 
T, »&^ECUjWEL<rn^5A£KttLfc*»fc* 
?*»*«iEi-*. flUtf, y'-h^x-f ECUSOti, 
g^K&Lfcra^AOrtSk, §&*t*ECU# 
^ * U rttciBtt t fcr a ^7 A k #R-I*)£T** & *>k' 
?*»ag^1-*ikfc:J:0. »a«*ECU*qEL<7 , o 



[007 2] -£LT, jEU<Tn^5A*«E«$n-CV^ 
fUf, Bt^tyWij, S 1 63tTi^fiL^To 
^?A£tt*UC (S167). 3KJ&g£»7U IE 
L<To^7i>#iB1g$*tTV->&t-Wtl£ ( S 1 6 5TN 

o) . sflEi#^*urtt=ieii&ixjtm^Attt 

^JfJL, CI ftSrSii^ ECU CiMff-t £ ( S 1 6 
3) . ft. To^AO«&#«i&@togo-Cd2<^ 
**5rv>*§£-fc{±. Tn^i^SSSr^jtLT. ^tS^ 

[0073] ^C, S 1 30 (I2#!S) £T. 7 s - F 
•7x^EC.U5 0*qHST-^«rra^5A. 
OSS^T'te&^k^JirL* (S130tNo)t^ 

x-<ECU50li, S 1 3 0fcTNok¥<Jllrt£k. 
< S 1 7 0£T. iift-r-^SEflft (T7-fe.X5t) 

AVC^7h7-;C^§fl^AVC^ECU 
3 1 - 3 7 X'h h&Bfrt:>mrt 2. . 
[0 074 ] ZZX\ Sfi5b^AVCiRECU3 1—3 
7Tfcl>k s «rr&k (S170TYes) . y-h^ 
x>(ECU5 0i4, S 1 7 5KT. SM-T-^SriEfiifc 
OAVC*ECUt=M*S. -2k KlfifctfAVCjR 
ECU 3 1 *— 3 7T"{4 : 5rV'>k¥ , J8ff"f"'2) k (S170TN 
o) . y'-b-7x^ECU50ii. a<lSB4 0£*)-L 
T. *OT-*£j*fiLT#fc**hSai3fc:. SiEC 

3 A»feB3iEfll«k FSrTOWS ( S 1 8 

0) . 

[0075]IV^T, y-h7x^ECU5 0ll SI 
9 OCT, ilffc^ftfittSil/S^^V 
-Ft *»k" ^ *>£¥«rt 4 i k fc: i 0 » t 
fc/<X7-H)WEU»*»5*»f«H-*. ft, y-h"7x 
^ECU50t±. WV&m. 3 Ufc-»«*7- H 
Sr. ±S8Ufcrn^ACiSa!SlWS 1 4 3TSI6t4 

WS 1 4 seffl&nV&lzja^hJ^x*?— Vb, SI 9 
OO^O^ffll-vS/N-^7- K^Ts M^IE-ti^T** 

[007 6] -eUT. ^-^V-H^iEU^kfJISrrSk 
(S190T'Yes) . Y— Y 7 x^ E C U 5 0J4. -f 
-^$rffi«ftOECUlw5Sflt (S20 0) . 
F#EL<fr^kfJBrf*k (Sl90T'No) . si 
9 5(=TT^-fe^MIWlWtSH , fLT. SIS^S^^T 

[0077] ft, cor^-fe^WRa«uifc:*iv^r. y- 

h^x-f ECU5 0(4, H5JC*f i^fclM^-f*. SP 
*3, y-h-7x-fECU50(t S4 10CT. R— O 
*JW6H3*»4>SKy-h'7*-f ECU 5 0C, -j©^ 
HrtTnEI (Wt<f 3 0) Ja±«0T^-feX4*ft-5fc*^f 
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frnmLx. n®v±0)T9*xifi&\+hja (S4 1 o 

ximw&a. 3 J: vh-otiz t tmma a o conm-r h 
dhh»4 i -4 7 izmm < znizMm-rzmmM4 i - 
47<r>mmz-o^xitfm) lx. wssm^wr-t 

5. 

[00783 -U, nm±k<7)T?-tXWfo-o 
it (S4 1 OTYe s ) . n^hMW^A 1-4 HZ 
% 3 #>t <T>T 9 -b * Sr m±t h X 0 izMZa t 

T (S4 3 0) , »S4 1~4 7C, R— 7?-fe*7C 
^mn^S3A^WiIftf r -^&, y-h«7x4 ECU 
5 0fc-jgfci^£VU?£$-ttT, xtixmtKT-r 
5. 

[0 0 7 9] ifc, ^OT^-feX$iJliBMScO±l2#ii»] 
&»tft^BtW^>#*««4 1-4 7<iS6fc5rf ± 

■7*.x*MWth. ft, H6ti, r^-fe^W««fflii*t 
t7D-ft-ht*4. *SH*84 l-4 7ti. &m\S\ 

fix- * fc***i*afS3C^»#f4» 3 « fKSr 

E?#LT\ *<0Sifi5cSrlM«L ( S 5 1 0 ) s S 5 2 0 

6. ft. iOT^-fe^*±U^H4. y-H7x^(EC 

u 5 ofrt>T?-txm±vm%it:%v&mz, *mm4 

l-4 7#S&55frLTV><t><7>Tfc>K *=S£^4 1- 

4 7l±, 'J PltC, T?-feXSI.ib£>tt*i: ! Sro 

fcmfl-ssg 3 z&muzT?-txm± oxh lt 
us. 

[0080] £<DS 5 2 0£fcVvC3ifl7-'-:?OjIft7C 

#r ? -t xm± vxvizhht mm-h t . %mm4i 

-4 7UU «< S 5 4 OCT , af85c<0*WK!t3 V>Y 
-N'7x-fECU5 0^r^-feX*JE5'tS. o4 

r- * 2" y- h «7 x 4 E C U 5 0 fcfiMW •& £ fc & < tt 

[0081]-J, S520CJ3V.T. jlflx-^coi* 
fl7C#7 ? -feX3l± fc&U fc WH'ti fc . iitttB 
41M7J1 «<S530Ct, *<0ilM37CJfi***7 
7 -fe ^ frgttT if ty-%ftffl1g& Ltz t> ^Tfc* A^tf 1 
SrWBrf*. ft. - iT"<7>-5£B#l3ti. y-h*>x4E 
CU5 0* J S4 1 OlZXn&WXtcOTf-tXtffc-otzfr 

[0082] ZZX\ m%T7-tx@r-%!smtm&L 

X^Zc^tVMt&t. «HS»4 1-4 7 {J. S54 0 
fc^tt LT . Sfg7C<D*$f$Sil 3 <oy- N x >f E C U 

5 0^cOT7-fe^^l§S-r^». R*T^-feAa- 

u=5r^fc¥'J»rf6fc. *!«l£S5 50lc^LT. jlflr 



[0083] JJLh, *llfl^f^Ify^fi, 1 to 

y-v»7x-f Ecuso^. mtgm.3izmmzti&m 

ftS84 0fc. «ttLAN10k<0l»i0Jlfifc+llH-6IR 
^CJStT*5'HBKI3jW*«LANl 0O#EC 
U 1 1 — 3 7^077-fe* (BP^. #ECUt^)f-^ 

nn-thztizx^mts.-th^v. wslanio^ 
#ecui l— 3 i^^ttrr-txzwiskthzt 
&X'%h. ttz. c\cr>±o %ffimz-fh ZklzXK). m 
gi]OE C U<fftWW«3 fclSEE-r*^.}: 0 i . 7h 

[0084]^. ^JfifiFlJcTJ^aft^^xA 1 T'(±, 

^4>»E»U)Wf«Sr*P«IIHfc*«rr*3t*^)AVCjR 
ECU ( AVCM7 }^-:?fc:£igE$:fX*:ECU3 1 
-3 7) -r-**«*(C, «J«l!I3<0BiESrff*>*^ 
ICLTU&. 

[008 5 ] *-tf*i?>». AVC^ECU3 1-3 7^ 
COMUt- fX'h&m*), ZcMiE?- ? ClSt'f^ 
tfi%2tLT^tz£LXl>, Zrmm-r-ftfMnwT&n 

tfz. A V C^E C U^7? t x^Si*^SSIi:ff 
ipixS £ fc Sr#E^v ^iifUf, v^*>v 3 cofg 
ESrlT P fc . y-N7x^ECU5 O^^SmW*^ 

ECU(CTIiSi|tl2SESrfi-5Ti*^V>. 
[0086] -~fj. jiftx-^OlSfi^'A VCIEC 

ujjw^e c ut***& ( Bim-r-S) fc . mim* y b 

■7-7. ^'f^^'y h7-?i:gfl$it/iECUl 1 
-2 5T-fci>*§£) tCf±. ^<fcfe, 

izmm. 5 #t 4 «■ E C U i±¥M$'JfflI 5 E C U 

htzth. ^lEiZZix^cOECU^tz-f^^tl^^^ 

iz l . mm<7>i&ff3&&zm&? hzt w&mtzfrhx- 
[0087] ttzmz. *mmm<7)i$Lftmm : sxTJ± 1 

H*fcrW^-4fc^T*i«^, lE<15t<?)ECUoa^fc 
4>-f. AX7- H^fc«t5»S-C0l21EfcllDiTm 
ZOEIiE&^^ifcfciD. m?mW.3<DT7-tx£J: 

K>mi<mmLx^. u^t, ^wiw^*rtai 

T L 4 3 * fc'O*® Kiht ■& i fc 5 . 
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[0088] znm. znmtomxisXT-Aiizisux 

x£n|I|«0BiE5cJft£t>->T*.itUC* Ifi»4 0lct 
mtmW. 3 *»fc*>jHB-r-* h x 4 E C U 5 0 

X f- Y *J x A E C U 5 0 C0tmfLfitfm& •» X L i ? 

[ o o 8 9 1 ;;t. vjLizwmLttmmvmftm 

li. *IWoy-^x^ECU50tfl3L. 
*UfcAVC*ECU3 l~3 7t£lS3U *^ B JO$UtSEP 

[ 0 0 9 0 ] * LT , *J8WW»-Wn^S{i, 7- h 
^x>f ECU50#S1 1 0TfflHLfcKB*l=*-? 
snott. EA&PflMBSiSSJ: LTOAVC 

^e c ur*&*»5*»*«Bhr sttf^fcffls t , ss-b 

K#Rtt. y-l^x-<ECU5 0#S 1 8 0£TS&- 
OBHflMRfc LTWtt7- H £Bf» U S 1 9 0 (CT 

an£®#a«\ y- h »7x •< E C U 5 0 **S 1 7 
OTYes fcfiJffiT LtzmzmiTh S 1 7 5 1 , S 1 9 
OT'Y e s fcfflR LfcflWHHrfi S 2 0 ODXHCffi 

[009 1 ] £«0fl&. *^HJ«0^-^ISiJ#g{±, y- K 
■>x-fECU50 jiP'Uff-t 4 S 1 3 0 "COMUllWtsfcrffl 
3U JKTBiE¥Sl±, y-h'>x'fECU50m 

:fc^o^7ASf <0*&B^*ofc*£l;: % S 1 4 0 
~~S 1 6 l<Q^*JB?t4»fffc:ffi3 , *-4. 9$ 
ZEE^KIi, y-h*7x-f ECU 5 0#S 1 6 lOfO 
WitSmizm-JZ , *T-yT«:S16 3fc:»*TLT. Sift 



"T4. 

[0092] ELL, *WBflSaiWfc:ov v tR!!BL£ 

4 :t«i 4 . ffiitf , isemwitz&^xiimrm 
&.3cDimzt~f'-<x r 7-\ i t,zx?Tomf&.t LtztK * 
cofccoimirmizxmtigm. 3 £fsn ut t i v\ ft® 

C$I!LAN 1 Ort^ECU/voTIT^-tX^IJ&ih-r 
4ik*5T§4. 

[009 3] icoi, ro^9^*«0«a5*&5SfSL 
®|gSEi-4*^i L/C* 5 . d*H$><D«&(c|JM-*££tt 

[HffloflMWriHin 

[0i] xmrnmompimmisx^A 1 

T'n -y?0T2&4. 

[02] y-h^x-f ECU 5 0^*11^4^^ >/U 

> o-f-r - h 4 . 

[03] y-h-)i>(ECU5 0^tl»7o/7 

[04] y-h^x-fEcus otfmn-? zmwm. 

»K*t7D-f+-h (a) fc. »&*f*ECUa* 
#ff-r47-a^7^.Sfi«!S$ra-r7n-^-^- b 
(b) T'J>4. 

[05] ECU5 0#H*r$-477-feX 

©JRBfc!yi£ft*f 7n-ft- hT£>4. 
[06] «-*Sia«4 1 -4 7 #>'^*i1-4 T ? 

[^<7)IK^] 

i-*rtii^fA, 3-m^s. io-wla 

N, 11-37-ECU, 4 0-»W.'4 1, 43. 

45, 47 -mum. 4 50-y 

-h^x-f ECU 
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